On Mon, 14 Oct 2002, Peter Kovacs wrote:
> I do not clearly understand what the problem is with someone typing in
> "foo'; DROP TABLE bar;" into the "Name" field on your web form.
If you do just a dumb string concatenation, it can insert arbitrary
commands into your conversation with the postgres database. E.g.,
your code does this to construct the query:
"SELECT id FROM users WHERE name = '" + name + "'"
and name, taken directly from the input field, is
foo'; DROP TABLE users; SELECT 'foo
Your query ends up being:
SELECT id FROM users WHERE name = 'foo'; DROP TABLE users; SELECT 'foo';
cjs
--
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
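The mechanism Curt describes, worked through as an added example (not code from the post or from PostgreSQL): the same concatenation, the same payload, and two ways of writing the lookup that do not let the value become SQL. It uses Python's built-in sqlite3 as a stand-in for the database, with a constructed in-memory users table; executescript() is used for the vulnerable path because, like PQexec with PostgreSQL's simple query protocol, it runs every statement it is handed.

```python
import sqlite3

# Constructed sample input: the payload from the post.
PAYLOAD = "foo'; DROP TABLE users; SELECT 'foo"


def fresh_db():
    """Constructed fixture: an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users (name) VALUES ('alice'), ('bob'), ('o''brien');
    """)
    return conn


def table_exists(conn, table="users"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def build_query_unsafe(name):
    # The pattern from the post: the untrusted value is spliced into the SQL text.
    return "SELECT id FROM users WHERE name = '" + name + "'"


def lookup_unsafe(conn, name):
    # executescript() runs every statement in the string, which is what the
    # server does when the whole string is sent as one simple query.  sqlite3's
    # execute() would reject the second statement, but that is not a defence:
    # the attacker still owns the WHERE clause (e.g. "x' OR 'a'='a") even when
    # only one statement can run.
    conn.executescript(build_query_unsafe(name) + ";")


def build_query_escaped(name):
    # If you must build the string yourself: double every single quote, the
    # standard SQL way of putting ' inside a literal.  The payload then stays
    # inside one literal and the statement stays one statement.
    return "SELECT id FROM users WHERE name = '" + name.replace("'", "''") + "'"


def lookup_escaped(conn, name):
    return [row[0] for row in conn.execute(build_query_escaped(name))]


def lookup_parameterized(conn, name):
    # Preferred: the value is passed separately and never becomes SQL text.
    return [
        row[0]
        for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    ]


if __name__ == "__main__":
    conn = fresh_db()
    print(build_query_unsafe(PAYLOAD))
    lookup_unsafe(conn, PAYLOAD)
    print("users table still exists after unsafe lookup:", table_exists(conn))

    conn = fresh_db()
    print("parameterized lookup of payload:", lookup_parameterized(conn, PAYLOAD))
    print("users table still exists after safe lookup:", table_exists(conn))
```

Parameters are the right fix; quote-doubling is shown only because it is what people reach for when they cannot change the query API. Note that with the PostgreSQL releases of that era, backslash was also an escape character in ordinary string literals, so doubling quotes alone is not enough there: use the driver's own escaping routine (PQescapeString in libpq) if you escape by hand, and prefer parameters wherever the driver offers them.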